Karl Heinz Marbaise created MDEP-891: ----------------------------------------
Summary: Used undeclared dependencies found for class which is used by and indirect class Key: MDEP-891 URL: https://issues.apache.org/jira/browse/MDEP-891 Project: Maven Dependency Plugin Issue Type: Bug Components: analyze-only Affects Versions: 3.6.1, 3.6.0 Reporter: Karl Heinz Marbaise Fix For: waiting-for-feedback Attachments: SO-mvn-question-main.zip Based on an example described on [StackOverflow|https://stackoverflow.com/questions/77360885/maven-dependency-plugin-3-6-started-to-find-new-used-undeclared-dependencies] with the example project https://github.com/DmitryTen/SO-mvn-question which can be used as reproducer (attached that example to the issue). The failure starts happening with {{Maven Dependency Plugin:3.6.0}}: {code} [INFO] --- dependency:3.6.0:analyze-only (analyze-dependencies) @ test --- [ERROR] Used undeclared dependencies found: [ERROR] org.springframework:spring-web:jar:5.3.5:compile [INFO] ----------------------------------------------------------------- {code} If we change the version of the plugin to 3.5.0: {code} [INFO] --- dependency:3.5.0:analyze-only (analyze-dependencies) @ test --- [INFO] No dependency problems found [INFO] Copying org.example:test:pom:1.0-SNAPSHOT to project local repository [INFO] Copying org.example:test:jar:1.0-SNAPSHOT to project local repository [INFO] Copying org.example:test:pom:consumer:1.0-SNAPSHOT to project local repository [INFO] ---------------------------------------------------------------------------------- {code} After a bit more diving into it, it looks like the upgrade of the {{maven-dependency-analyzer:1.3.2}} in release 3.6.0 of the {{maven-dependency-plugin}} (https://issues.apache.org/jira/projects/MDEP/versions/12352921) caused that issue. If I use an older version of {{maven-dependency-plugin}} for example 3.5.0 and upgrade there the {{maven-dependency-analyzer:1.3.1}} it will fail with the same output. The version {{maven-dependency-analyzer:1.3.0}} will work fine. I have taken a look into the code of the classes: The class {{StandaloneVaultConfig}} which is created in the example project uses {{AppRoleAuthentication}} which is part of {{org.springframework.vault:spring-vault-core}}. The usage of classes from {{org.springframework:spring-web:jar:5.3.5:compile}} happening in the class {{AppRoleAuthentication}}. -- This message was sent by Atlassian Jira (v8.20.10#820010)